Friday 10 May 2013

Hackers stole $45M in ATM card breach

A gang of cyber-criminals stole $45 million in a matter of hours by hacking their way into a database of prepaid debit cards and then fanning out around the globe to drain cash machines, federal prosecutors said Thursday.
Brooklyn U.S. Attorney Loretta Lynch called it "a massive 21st-century bank heist" and compared its size to the Lufthansa heist in the late 1970s immortalized in the film "Goodfellas." Lynch said the fraudsters had moved with astounding speed to loot financial institutions around the world.
A security analyst said it was the biggest ATM fraud case she had heard of.
Seven people are under arrest in the U.S. in connection with the case, which prosecutors said involved thousands of thefts from ATMs using bogus magnetic swipe cards. The accused ringleader in the U.S. cell, Alberto Yusi Lajud-Pena, was reportedly murdered in the Dominican Republic late last month, prosecutors said. More investigations are ongoing and other arrests have been made in other countries, but prosecutors did not have details.
An indictment unsealed Thursday accused the eight of being members of the New York cell, saying they withdrew $2.8 million in cash from hacked accounts in less than a day. One of the suspects was caught on multiple surveillance cameras, his backpack increasingly loaded down with cash. Others took photos of themselves with giant wads of bills as they made their way up and down Manhattan.
Lynch said the cells would take a cut of the money then launder it through expensive purchases or ship it wholesale to the global ringleaders, but didn't say where they were located. Prosecutors said the scheme involved attacks on two banks, Rakbank, which is in the United Arab Emirates, and the Bank of Muscat in Oman.
Hackers obtained debit card data, eliminated withdrawal limits on the accounts, created access codes and then sent a network of operatives fanning out to rapidly withdraw money in multiple cities, authorities said.
Lynch called it a "virtual criminal flash mob." She said they could use any plastic card to withdraw the cash — an old hotel key card or an expired credit card — as long as they had the account data and correct access codes.
There were two separate attacks, one in December and one in February. In the second attack, more than 36,000 transactions were made worldwide and about $40 million was stolen.
Lynch would not say who masterminded the attacks globally, who the hackers are or where they were located, citing an ongoing investigation.
The seven men arrested in New York were U.S. citizens originally from the Dominican Republic, lived in Yonkers and were mostly in their 20s. Lynch said they all knew each other and were recruited together, as were other cells in other countries.
They were charged with conspiracy and money laundering. If convicted they face 10 years in prison.
Law enforcement agencies in Japan, Canada, Germany, Romania and 12 other countries have been involved in the investigation, U.S. prosecutors said.
Arrests began in March. Lajud-Pena was found dead with a suitcase full of about $100,000 in cash. The investigation into his death is also continuing separately.
Avivah Litan, an analyst who covers security issues for Gartner Inc., said similar ATM fraud schemes are not uncommon, but the $45 million stolen in this one was at least double the amount involved in previous, known cases. Middle Eastern banks and payment processors are "a bit behind" on security and screening technologies that are supposed to prevent this kind of fraud, but it happens around the world, she said.
"It's a really easy way to turn digits into cash," Litan said.
Some of the fault lies with ubiquitous magnetic stripes on the back of the cards. The rest of the world has largely abandoned cards with magnetic strips in favor ones with built-in chips that are nearly impossible to copy. But because U.S. banks and merchants have stuck to cards with magnetic stripes, they are still accepted in many places in the world.
In 1978, $5.8 million in cash was stolen from a Lufthansa Airlines vault at Kennedy Airport, a heist masterminded by Jimmy Burke, the inspiration for Robert De Niro's character in "Goodfellas."

Washington Courts Data Breach, Social Security & driver's license numbers Stolen

The Washington State Administrative Office of the Courts (AOC) announced that a security breach occurred on its public website. No court records were altered and no personal financial information, such as bank account numbers or credit card numbers, is maintained on the site. However, up to 160,000 social security numbers and 1 million driver license numbers may have potentially been accessed.(Washington Court)
The breach was discovered in February, and officials at first believed no confidential information was leaked even though a large amount of data was downloaded from the website, the Washington State Administrative Office of the Courts said.
But officials later determined that 94 Social Security numbers were definitely obtained by the person or group that committed the security breach, while 160,000 Social Security numbers and a million driver's license numbers may have been accessed.
"We regret that this breach has occurred and we have taken immediate action to enhance the security of these sites," the state's court administrator, Callie T. Dietz, said in a statement.
Officials were notifying by mail the 94 people whose Social Security numbers were accessed from the site, court officials said in the statement.
The people whose names and Social Security numbers might be at risk are those who were booked into a city or county jail in the state from September 2011 to December 2012, officials said.
The breach could also have exposed the driver's license numbers of people charged in the state's superior court criminal system between 2011 and 2012, the statement said.
Anyone who received a driving under the influence citation from 1989 to 2011 or had a traffic case filed or resolved in a district or municipal court between 2011 and 2012 might also be at risk, officials said.
No financial data such as credit card numbers was maintained on the court website, so officials said there was no risk of that information being accessed directly through the breach.
The breach was the latest in a series of hacks. In one prominent case, Cody Kretsinger of LulzSec, an offshoot of hacking group Anonymous, last year pleaded guilty in federal court in Los Angeles to taking part in a computer breach of Sony Pictures Entertainment that prosecutors say caused over $600,000 in damages. Last month, he was sentenced in California to a year in prison. (Reuters)

Washington Courts Data Breach, Social Security & driver's license numbers Stolen

The Washington State Administrative Office of the Courts (AOC) announced that a security breach occurred on its public website. No court records were altered and no personal financial information, such as bank account numbers or credit card numbers, is maintained on the site. However, up to 160,000 social security numbers and 1 million driver license numbers may have potentially been accessed.(Washington Court)
The breach was discovered in February, and officials at first believed no confidential information was leaked even though a large amount of data was downloaded from the website, the Washington State Administrative Office of the Courts said.
But officials later determined that 94 Social Security numbers were definitely obtained by the person or group that committed the security breach, while 160,000 Social Security numbers and a million driver's license numbers may have been accessed.
"We regret that this breach has occurred and we have taken immediate action to enhance the security of these sites," the state's court administrator, Callie T. Dietz, said in a statement.
Officials were notifying by mail the 94 people whose Social Security numbers were accessed from the site, court officials said in the statement.
The people whose names and Social Security numbers might be at risk are those who were booked into a city or county jail in the state from September 2011 to December 2012, officials said.
The breach could also have exposed the driver's license numbers of people charged in the state's superior court criminal system between 2011 and 2012, the statement said.
Anyone who received a driving under the influence citation from 1989 to 2011 or had a traffic case filed or resolved in a district or municipal court between 2011 and 2012 might also be at risk, officials said.
No financial data such as credit card numbers was maintained on the court website, so officials said there was no risk of that information being accessed directly through the breach.
The breach was the latest in a series of hacks. In one prominent case, Cody Kretsinger of LulzSec, an offshoot of hacking group Anonymous, last year pleaded guilty in federal court in Los Angeles to taking part in a computer breach of Sony Pictures Entertainment that prosecutors say caused over $600,000 in damages. Last month, he was sentenced in California to a year in prison. (Reuters)

DDoS Attack On Dutch Tax And Customs Website

Dutch Tax and Custom website were last night hit  by DDoS attack ,post as important news Tax and Customs Services on its website.
The sites are now available again but may be less or not reachable by new attacks.
The systems of several financial institutions from the Netherlands were targeted with a distributed denial-of-service (DDoS) attack earlier in April.
The minister of Security and Justice Opstelten wants the police and the judiciary to conduct remote investigation in criminals' computers and, if necessary, to take over data or to render them inaccessible.